
Attack detection and investigation are an iterative process in practice, in which security analysts still play an important role as of today. Security systems for attack detection and investigation need to be designed with this human-in-the-loop aspect in mind. A practical, reliable attack detection system is not just a classification system. Rather, it facilitates the investigation process in unearthing the root causes and attack ramifications, by providing contextualized and more interpretable detection results. Security analysts often find it difficult and time consuming to investigate, correlate and understand the detection results of currently deployed security systems. A swift and accurate attack detection & investigation process is crucial for timely and proper attack recovery & remediation. To support speedy and thorough attack detection & investigation, provenance-based security systems have been proposed over the past few years. These systems have proven to be inherently suitable for this critical mission: providing security analysts with insightful, contextualized, and actionable detection results for further investigation in a highly automated manner. Provenance-based systems produce attack graphs by parsing system logs that record what has occurred in a computer system at a fine-grained level. Such graphs represent and link causally related system activities. Given a suspicious event as a starting point, backward tracing and forward tracing in a graph can quickly expose further malicious system activities caused by attackers, i.e., the root cause and the attack ramifications, respectively. Provenance-based security systems have demonstrated excellent performance in reducing false alarms and supplying security analysts with accurate and self-explanatory attack graphs, in particular for sophisticated attacks conducted by Advanced Persistent Threat (APT) actors.
Despite these successes, our examination of existing provenance-based systems yields the finding that they suffer from several major limitations and can be rendered ineffective when facing evasive real-world APT actors. First, they are fundamentally susceptible to evasive attacks employing persistence techniques. Second, existing provenance-based systems are limited to tracing inside a single machine, and are unable to trace across machines and reveal the extent of attackers' traversal inside a network. Third, these systems only process system logs from general-purpose operating systems such as Windows and Linux, but not logs from embedded-system devices. To tackle the first weakness of prior provenance-based systems, we present CPD, which is, to our knowledge, the first system specialized for persistence detection, and hence for multi-phase APT detection and investigation. CPD is powered by two novel concepts: pseudo-dependency edges, which effectively reconnect attack graphs fragmented by persistence techniques, and expert-guided edges, which enable faster tracing and reduced log size. Moreover, we create HADES to overcome the second constraint of provenance-based systems in combating APT actors. HADES demonstrates, to our knowledge, the first approach capable of performing accurate causality-based cross-machine tracing. In HADES, we introduce a lightweight authentication anomaly detection model and a novel concept called logon session-based execution partitioning and tracing, which together enable efficient and accurate cross-machine APT detection and investigation. Last, we design our third system, COMMANDER, to further strengthen the defense line against cross-machine multi-phase APT attacks. Our extensive analysis of APT threat reports reveals that HADES's cross-machine tracing functionality is vulnerable to several evasive attack techniques routinely employed by APT actors: persistence, session hijacking, and port forwarding.
Recognizing this, we introduce a modular design in COMMANDER, which integrates CPD with HADES and incorporates two further specialized detectors, for session hijacking and port forwarding respectively. These specialized detectors make complementary contributions to safeguarding robust and correct whole-network tracing, by delivering critical information to guide and adjust the tracing process. Moreover, COMMANDER is designed for the detection and investigation of attacks against industrial-sector organizations. That is, it includes parsers for logs from some popular industrial controllers, and detection rules for attack techniques used by APT actors against industrial control systems. COMMANDER can accurately attribute the malicious system activities on these industrial controllers to the true identity behind those actions, even if the access originates from the enterprise network.
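The abstract above describes two ideas in prose: backward/forward tracing over a provenance graph from a suspicious event, and pseudo-dependency edges that reconnect a graph fragmented by a persistence mechanism. The following Python snippet is an added, self-contained illustration of both ideas; it is not code from CPD, HADES, COMMANDER or the thesis, and the audit events, node names, the `svchost.exe(Schedule)` scheduler node, the `TASK_COMMANDS` mapping and the matching rule in `add_pseudo_dependency_edges` are all constructed stand-ins for what a real system would parse from OS audit logs.

```python
"""Added illustration (not the thesis's code): a tiny provenance graph,
time-ordered backward/forward tracing, and a hypothetical pseudo-dependency
edge that bridges the gap a scheduled-task persistence step leaves in the log."""
from collections import deque

# Constructed audit events: (cause, effect, relation, timestamp).
# Fragment 1 ends when a scheduled task is registered; fragment 2 starts
# later when the scheduler service (not the original process) spawns it.
EVENTS = [
    ("outlook.exe", "invoice.docm", "wrote", 1),
    ("invoice.docm", "winword.exe", "loaded_by", 2),
    ("winword.exe", "powershell.exe", "spawned", 3),
    ("powershell.exe", "schtasks.exe", "spawned", 4),
    ("schtasks.exe", "Task:Updater", "registered", 5),
    ("svchost.exe(Schedule)", "updater.exe", "spawned", 100),   # fragment 2
    ("updater.exe", "10.0.0.5:443", "connected", 101),          # constructed IP
    ("updater.exe", "creds.txt", "read", 102),
    ("explorer.exe", "notes.txt", "wrote", 50),                 # benign noise
]

SCHEDULER = "svchost.exe(Schedule)"  # hypothetical name for the scheduler host
# Hypothetical: command each registered task will run (from the schtasks args).
TASK_COMMANDS = {"Task:Updater": "updater.exe"}


def build_graph(events):
    """Return (forward, backward) adjacency maps: node -> [(nbr, rel, ts)]."""
    fwd, bwd = {}, {}
    for src, dst, rel, ts in events:
        fwd.setdefault(src, []).append((dst, rel, ts))
        bwd.setdefault(dst, []).append((src, rel, ts))
    return fwd, bwd


def trace(adj, start, start_time, forward):
    """BFS over causal edges that respects time order.

    forward=True follows edges with ts >= current time (attack ramifications);
    forward=False follows edges with ts <= current time (root cause).
    Returns the set of reached nodes, excluding the start node.
    """
    best = {start: start_time}          # node -> earliest (fwd) / latest (bwd) arrival
    queue = deque([(start, start_time)])
    while queue:
        node, t = queue.popleft()
        for nbr, _rel, ts in adj.get(node, []):
            if (forward and ts < t) or (not forward and ts > t):
                continue                # violates causal time order
            if nbr in best and (best[nbr] <= ts if forward else best[nbr] >= ts):
                continue                # already reached with a better time
            best[nbr] = ts
            queue.append((nbr, ts))
    best.pop(start, None)
    return set(best)


def add_pseudo_dependency_edges(events, task_commands, scheduler=SCHEDULER):
    """Hypothetical rule: link a task registration to the later process that the
    scheduler spawned for it, so the two fragments become one traceable graph."""
    registered_at = {dst: ts for _s, dst, rel, ts in events if rel == "registered"}
    extra = []
    for src, dst, rel, ts in events:
        if src != scheduler or rel != "spawned":
            continue
        for task, reg_ts in registered_at.items():
            if task_commands.get(task) == dst and ts > reg_ts:
                extra.append((task, dst, "pseudo_dep", ts))
    return events + extra


def forward_trace(events, start, start_time):
    return trace(build_graph(events)[0], start, start_time, forward=True)


def backward_trace(events, start, start_time):
    return trace(build_graph(events)[1], start, start_time, forward=False)


if __name__ == "__main__":
    bridged = add_pseudo_dependency_edges(EVENTS, TASK_COMMANDS)
    print("forward from invoice.docm, raw log:  ", sorted(forward_trace(EVENTS, "invoice.docm", 1)))
    print("forward from invoice.docm, bridged:  ", sorted(forward_trace(bridged, "invoice.docm", 1)))
    print("backward from creds.txt, raw log:    ", sorted(backward_trace(EVENTS, "creds.txt", 102)))
    print("backward from creds.txt, bridged:    ", sorted(backward_trace(bridged, "creds.txt", 102)))
```

On the raw log the forward trace from the malicious document stops at the task registration and the backward trace from the credential read stops at the scheduler service, so an analyst sees two unrelated fragments; with the pseudo-dependency edge both traces span the whole chain while the benign `explorer.exe` activity is never pulled in. The matching rule here is deliberately simple (task command equals the spawned image); the thesis's own construction of such edges is not described in the abstract and is not reproduced here.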
ddc:004, DATA processing & computer science, data provenance analysis, digital forensics, industrial-sector organization security, Advanced Persistent Threat detection, info:eu-repo/classification/ddc/004, 004, Active Directory
